Month: February 2016

There’s one more piece to the puzzle to make monitor mode captures on OS X really functional – Airtool, a free download from Adrian Granados. Do yourself a favor, take a short detour to his site here and check out all of his apps. WiFi Signal and WiFi Explorer are both well worth the small cost and do a great job of presenting the wifi info hitting your machine.

But back to Airtool – free download. Airtool sits in your menu bar and gives you quick-draw access to capture settings. Take a look:

Airtool can change the channel in a live capture via the Channel menu

Channel change mid-capture. That’s how we roll.

Airtool can start its own captures and then open them in Wireshark for you when stopped. Basically, Airtool is a nicer front end to the OS X Wireless Diagnostics capture utility.

Better yet – you can have Airtool disconnect from the current WLAN for you. OS X doesn’t do this well on its own (option-click the wifi icon for the Disconnect option, but it will usually just reconnect).

You’ll also notice that you can set the capture channel width – dependent, of course, on your internal NIC’s capabilities.

The preferences menu lets you make some tweaks to the status icon and set the capture file location. With Airtool and Wireshark on OS X, you’ve got all you need to do 0-80 (MHz) in under 10 seconds!

The radiotap header carries some wireless-specific info that is useful to see in the main packet list, including the channel or frequency the packet was captured on, but Wireshark doesn’t show this in the packet list by default (maybe because wireless captures are for REAL experts 😎):

Let’s edit the displayed columns: right-click any column header you already see, such as Time or Protocol, and choose “Column Preferences”.

Alternatively, use the “Edit” menu, then “Preferences” > “Columns”.

Click the + button to add a new column; it shows up at the bottom of the table. Click the “Title” field and type in whatever you want the column header to be called (like “Frequency”!). Then click the “Type” field and set it to “Frequency/Channel”:

Lastly, drag the new row up to fit it in where you want to see it. Here I’ve put it in between the Protocol and Length columns.

You can add and remove more columns this way – if you look, you’ll also note that you can add columns for the 802.11 RSSI and TX Rate values from the radiotap header:

Note that Wireshark displays the “Frequency/Channel” column as the frequency in MHz, but the channel number is also listed in the radiotap header fields in the packet details view. The channel is also available in the 802.11 radio information:

We can also create a column from this field. Right-click the line and select “Apply as Column”:

Then go back to your column preferences to see what Wireshark did for you:

We can use just about any field as a column with this method – just let Wireshark find the field ID for you!

Now we can filter and re-order our packets based on the new columns. That’s better!

Unlike Windows, OS X can put the wifi NIC into monitor mode without any special drivers, meaning we can actually capture wifi traffic in the air, even frames that aren’t destined for our NIC. All we need is Wireshark. One caveat: the NIC only listens on one channel at a time, so you capture whatever is on the channel it is currently tuned to.

Open the capture interfaces options dialog (look for the gear icon on the toolbar) and set Monitor Mode to “enabled” for the Wi-Fi NIC (highlighted below, labeled “Wi-Fi: en0”). Also set the Link-layer header to “802.11 plus radiotap header” (mine was already set to that option):

Then click the “Start” button on the bottom of the dialog window to start capturing!

I find it helpful to NOT use Wireshark in full screen mode so that I can see the top menu bar at the same time as the Wireshark Start/Stop controls. When in monitor mode, the Wi-Fi icon in the menu bar changes to look like an eyeball overlaid on the typical icon (green highlight mine):

That’s it! We should see beacons, probes and other frames not addressed to our NIC now.
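To make the radiotap and 802.11 fields from the posts above concrete, here is an added example (mine, not the author’s code and not part of Airtool or Wireshark) that decodes the bytes a monitor-mode capture with the “802.11 plus radiotap header” link-layer type produces. The two frames it parses are constructed inline, not captured traffic: the BSSID 02:00:00:00:00:01 and the SSIDs NetGain and NetGain5 are made up. It walks the radiotap present bitmask with the natural-alignment rule, pulls out the frequency, channel number and RSSI that the extra Wireshark columns show (the usual field names are radiotap.channel.freq, wlan_radio.channel and radiotap.dbm_antsignal), verifies the FCS when the radiotap Flags field says one is present, and cross-checks the radiotap frequency against the DS Parameter Set channel the beacon itself advertises.

```python
"""Decode 802.11-plus-radiotap (DLT 127) frames, the link-layer format a macOS
monitor-mode capture produces.  Added example, not code from the original post."""
import struct
import zlib

# Radiotap fields we know, keyed by it_present bit: (alignment, size in bytes).
# Fields appear in the header in bit order and each one is naturally aligned.
RADIOTAP_FIELDS = {
    0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (2, 4), 4: (2, 2),       # TSFT, Flags, Rate, Channel, FHSS
    5: (1, 1), 6: (1, 1), 7: (2, 2), 8: (2, 2), 9: (2, 2),       # dBm signal/noise, lock q., TX att.
    10: (1, 1), 11: (1, 1), 12: (1, 1), 13: (1, 1), 14: (2, 2),  # TX power, antenna, dB sig/noise, RX flags
    19: (1, 3), 20: (4, 8), 21: (2, 12),                         # MCS, A-MPDU status, VHT
}
FLAG_FCS_PRESENT = 0x10                          # radiotap Flags: frame ends with its 4-byte FCS
CHAN_2GHZ_CCK, CHAN_5GHZ_OFDM = 0x00A0, 0x0140   # radiotap channel flags


def freq_to_channel(freq_mhz):
    """Wireshark's 'Frequency/Channel' column shows MHz; this gives the channel number."""
    if freq_mhz == 2484:
        return 14
    if 2412 <= freq_mhz <= 2472:
        return (freq_mhz - 2407) // 5
    if 5000 <= freq_mhz <= 5895:
        return (freq_mhz - 5000) // 5
    raise ValueError("%d MHz is not a 2.4/5 GHz channel" % freq_mhz)


def parse_radiotap(buf):
    """Return (radio info dict, offset where the 802.11 frame starts)."""
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    off, word = 8, present
    while word & (1 << 31):            # bit 31 chains another it_present word
        word = struct.unpack_from("<I", buf, off)[0]
        off += 4
    info = {}
    for bit in range(29):              # bits 29/30 are namespace markers, not fields
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break                      # unknown size: nothing after it can be located
        align, size = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align      # natural alignment rule
        if off + size > length:
            raise ValueError("radiotap field runs past it_len")
        if bit == 0:
            info["tsft"] = struct.unpack_from("<Q", buf, off)[0]
        elif bit == 1:
            info["flags"] = buf[off]
        elif bit == 2:
            info["rate_mbps"] = buf[off] * 0.5        # rate is in units of 500 kbps
        elif bit == 3:
            freq, chflags = struct.unpack_from("<HH", buf, off)
            info.update(freq_mhz=freq, channel=freq_to_channel(freq), channel_flags=chflags)
        elif bit == 5:
            info["rssi_dbm"] = struct.unpack_from("<b", buf, off)[0]
        off += size
    return info, length


def mac(b):
    return ":".join("%02x" % x for x in b)


def parse_80211(frame, radiotap_flags):
    """Decode the 802.11 header and, for beacons, the SSID and DS Parameter Set IEs."""
    fcs_ok = None
    if radiotap_flags & FLAG_FCS_PRESENT:           # strip and verify the trailing CRC-32
        frame, fcs = frame[:-4], frame[-4:]
        fcs_ok = struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF) == fcs
    fc0 = frame[0]
    out = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4, "fcs_ok": fcs_ok,
           "da": mac(frame[4:10]), "sa": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if out["type"] == 0 and out["subtype"] == 8:    # beacon: 24-byte header, 12 fixed bytes, then IEs
        pos = 36
        while pos + 2 <= len(frame):
            eid, elen = frame[pos], frame[pos + 1]
            val = frame[pos + 2:pos + 2 + elen]
            if eid == 0:
                out["ssid"] = val.decode("utf-8", "replace")
            elif eid == 3 and elen == 1:
                out["ds_channel"] = val[0]           # the channel the AP says it is on
            pos += 2 + elen
    return out


def parse_frame(buf):
    radio, off = parse_radiotap(buf)
    return {**radio, **parse_80211(buf[off:], radio.get("flags", 0))}


# --- constructed sample frames (made up for this example, not captured traffic) ---
def build_beacon(ssid, channel, bssid, with_fcs):
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"
    fixed = struct.pack("<QHH", 0x1234567890, 100, 0x0411)   # timestamp, interval, capabilities
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    frame = hdr + fixed + ies
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF) if with_fcs else frame

BSSID = b"\x02\x00\x00\x00\x00\x01"
# Channel 6 beacon: TSFT|Flags|Rate|Channel|dBm signal (0x2F), FCS present, 1 Mbps, -42 dBm.
RT_24GHZ = struct.pack("<BBHIQBBHHb", 0, 0, 23, 0x2F, 1000, FLAG_FCS_PRESENT, 2, 2437, CHAN_2GHZ_CCK, -42)
# Channel 36 beacon: Flags|Channel|dBm signal (0x2A); the 1-byte Flags forces a pad byte before Channel.
RT_5GHZ = struct.pack("<BBHIBxHHb", 0, 0, 15, 0x2A, 0, 5180, CHAN_5GHZ_OFDM, -67)
SAMPLE_FRAMES = [RT_24GHZ + build_beacon("NetGain", 6, BSSID, True),
                 RT_5GHZ + build_beacon("NetGain5", 36, BSSID, False)]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:            # one line per frame, like the extra Wireshark columns
        p = parse_frame(f)
        print(p["bssid"], p["freq_mhz"], p["channel"], p.get("rssi_dbm"), p.get("ssid"), p["fcs_ok"])
```

Run it directly to print one line per frame. A mismatch between `channel` (where the NIC was tuned) and `ds_channel` (where the AP says it lives) is normal on overlapping 2.4 GHz channels, since a 20 MHz radio hears beacons from neighbouring channels; it is worth keeping in mind when you are hopping channels mid-capture.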

In upcoming posts I’ll show how to set up Wireshark to show the channel/frequency and talk about using Airtool to change channels.

Howdy. I am a network engineer with a wifi hobby. I mean (cue Keanu) I know Kung-fu: routing and switching, firewalls, and data centre stuff, but I know wifi is an entirely different beast, and my wireless Kung-fu (henceforth “Wi-fu”) is weak.

Wifi has a well known community on the web. In the words of Keith Parsons: “You HAVE to be on Twitter”. I’ve been a spectator in this community via Twitter for a while, and I’ve learned TONS. But I was recently fortunate to meet some people who are a big deal in wifi (including the guy who actually wrote the book that I used to pass the CWNA certification); and I was able to experience the wifi community first hand.

While it was definitely intimidating at first to be in the same room as these guys (the Bruce Lee, Mr Miyagi, and Chuck Norris of wifi), the community has earned a reputation for being inclusive and these black belts were omgsupercoooool ambassadors. Whilst they somewhat mocked my great white north heritage, it was no biggie for a few of us noobs to sit at the cool kids’ table for lunch and share a few drinks after class (eh!).

Which is why I’m not surprised that I’m here trying valiantly (VALIANTLY) to not type “Dear Diary…”. The wifi community is also big on contributing to said community, so I was quickly asked about my blog. Everyone in wifi has a blog, so I was a hoser because I didn’t (extrapolation mine alone and tongue in cheek :P).

So now I’m a hoser with a blog. “Net Gain” was the most clever play on wired and wireless networking I could come up with in ten minutes.